In this article, we compare and explain the search results and methods of Google Hacking’s intitle filter, which searches only sites with specific keywords in the title, and Criminal IP’s title filter.
What is Google Hacking?
Google Hacking is a service that uses Google Search and Google's applications to find security vulnerabilities in the construction and computer code of a website. The information that can be collected with Google Hacking can be surprisingly diverse. In general, results are narrowed to specific conditions by combining keyword searches in quotation marks (" ") with filters such as filetype, site, inurl, and intitle.
Compared to Google, which collects data based on the web, Criminal IP (https://www.criminalip.io/) collects data based on IP and port information. However, if the collected information comes from a web port, results previously invisible in the Google search engine can be found using Criminal IP. In particular, using Google’s intitle: filter shows results for content from a website’s <title> tag, which has very similar functions to Criminal IP’s title: filter. Let’s look at some of Google Hacking’s search tips and compare them to Criminal IP features.
Searching for vulnerable directory listings using dead.letter
The dead.letter file is an error log generated when a specific error occurs in a Linux/Unix environment. 'index.of' is a string that appears when visiting a website with a directory listing vulnerability, so the search returns addresses of servers that are fully accessible.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Index of /</title>
<h1>Index of /</h1>
Criminal IP can yield the same results as shown with the title: filter. Use the query shown below to access Criminal IP’s Asset Search results.
Criminal IP search results also show unique data that users cannot access on Google. In addition, Criminal IP identifies data by country, presence/absence of CVE vulnerabilities, and types of web servers involved.
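A defender-side check for the directory listing signature shown above, as an added example that is not from the original article: it parses a response body fetched from your own server, confirms the auto-index pattern (the same "Index of /" text in both <title> and <h1>), and reports watched files such as dead.letter. The function names, the watch list, and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

class _IndexPage(HTMLParser):
    """Collects <title> text, <h1> text and link targets from one HTML page."""
    def __init__(self):
        super().__init__()
        self._tag = None
        self.text = {"title": "", "h1": ""}
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in self.text:
            self._tag = tag
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == self._tag:
            self._tag = None

    def handle_data(self, data):
        if self._tag:
            self.text[self._tag] += data

def audit_listing(html, watch=("dead.letter",)):
    """Return (is_listing, exposed_files) for one response body from your own server."""
    page = _IndexPage()
    page.feed(html)
    title = " ".join(page.text["title"].split()).lower()
    h1 = " ".join(page.text["h1"].split()).lower()
    # A title match alone is noisy; auto-generated indexes repeat it in <h1>.
    is_listing = title.startswith("index of /") and h1 == title
    names = [link.rstrip("/").rsplit("/", 1)[-1] for link in page.links]
    exposed = sorted({n for n in names if n in watch}) if is_listing else []
    return is_listing, exposed

# Constructed sample bodies (hypothetical, not captured from any real host).
LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /</title></head><body><h1>Index of /</h1>
<ul><li><a href="backup/">backup/</a></li>
<li><a href="dead.letter">dead.letter</a></li></ul></body></html>"""
BLOG = ("<html><head><title>Index of /tmp explained</title></head>"
        "<body><h1>Blog</h1></body></html>")

if __name__ == "__main__":
    for name, body in (("listing", LISTING), ("blog", BLOG)):
        print(name, audit_listing(body))
```

The second sample shows why a title-only match over-reports: an ordinary page whose title merely begins with "Index of /" is not flagged, because its <h1> differs.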
Finding Remote Desktop Servers in Web format
Microsoft also provides web versions of RDP servers. In other words, this Google Hacking query can serve as a case example for finding an externally exposed RDP server.
Users can access identical queries by using Criminal IP’s title: filter.
It should also be noted that Criminal IP Image Search provides RDP screenshots for user convenience.
Detect Apache Test Pages in Default State
The screenshot below is the default welcome page you see right after installing the Apache server. This is a famous example of a vulnerability that can be found using Google Hacking.
Use the following query to yield the same search results using Criminal IP:
It is very evident that Criminal IP’s results tab shows far more data than what users can find using Google Hacking. This can be attributed to IT system set-ups, where systems installed in a default state often lack a domain to be attributed to. Therefore, compared to Google, which crawls domains more centrally, Criminal IP, which continuously collects IPs worldwide, can provide more detailed search results for default welcome pages.
We have previously covered the dangers of default welcome pages in our article, Default welcome page exposure: A Significant Security Risk.
Lastly, we would like to note that Google Hacking has far more filters than the intitle: filter we covered today. In addition, search result data can vary wildly between the applications used, with Criminal IP yielding more result volume at times and vice versa. Therefore, using both services can benefit users in collecting more comprehensive threat intelligence.